AHRQ WebM&M: Morbidity and Mortality Rounds on the Web
Privacy or Safety?
Commentary by John D. Halamka, MD, MS, and Deven McGraw, JD, MPH, LLM
- Understand that the HIPAA Omnibus Rule is an enabler of data sharing, not a barrier.
- Review common misconceptions about privacy rules.
- Understand the current regulatory environment beyond HIPAA including the HITECH Act, which attempts to balance privacy and safety.
A 64-year-old man with advanced dementia was admitted after being placed on a hold for grave disability. Family members noted he had a week of worsening confusion and agitation. The patient was undergoing a diagnostic workup for his altered mental status with a plan for a brain MRI if the etiology was still unclear. The cross-covering overnight resident was following up on the studies and placed an order for a brain MRI as discussed with the primary team at signout.
In this hospital, signout occurred with a paper-based system. In order to protect patient privacy, hospital policy dictated that signout documentation includes only patients' initials rather than more identifiable information such as full names or dates of birth. In this case, the patient requiring the brain MRI had the same initials as another patient on the same unit who also happened to have severe cognitive impairment from a traumatic brain injury. The cross-covering resident mixed up the two patients and placed the MRI order in the wrong chart. Because the order for a "brain MRI to evaluate worsening cognitive function" could apply to either patient, neither the bedside nurse nor radiologist noticed the error. The following morning, the primary team caught the error and the MRI was canceled and ordered for the correct patient. The near miss led to several discussions about optimizing signout processes while also protecting patient privacy.